FreeBSD : Install and configure Tripwire

ADD THE TRIPWIRE SECURITY COMPONENT

Set up Tripwire (ref: http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/ch-tripwire.html)
Edit the /etc/tripwire/twcfg.txt file to reflect the following:

EDITOR =/usr/bin/pico

Edit the /etc/tripwire/twpol.txt file to reflect the following:

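# emailto: address that receives emailed reports for the rules in this block
(emailto = "me@me.com")
{
! /proc;                               # stop point: do not scan /proc
/ -> $(ReadOnly);
! /dev;                                # stop point: do not scan /dev
/boot -> $(ReadOnly);
/tmp -> $(ReadOnly);
/var/log -> $(ReadOnly);
/var/log/httpd/access_log -> l;        # l: file is expected to grow
/var/log/httpd/error_log -> l;         # l: file is expected to grow
}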

Install/Setup (only once):

/etc/tripwire/twinstall.sh
site key: web site key
local key: web local key

Initialize:

/usr/sbin/tripwire --init

Check:

/usr/sbin/tripwire --check

View logs:

/usr/sbin/twprint -m r --twrfile /var/lib/tripwire/report/.twr | less

Remove files unneeded by the default setup from the policy:

pico /etc/tripwire/twpol.txt

Generate new policy file:
/usr/sbin/twadmin --create-polfile -S site.key /etc/tripwire/twpol.txt

Initialize again:

/usr/sbin/tripwire --init

Cron will check daily.

View logs:

/usr/sbin/twprint -m r --twrfile /var/lib/tripwire/report/.twr | less

Update the database:

/usr/sbin/tripwire --update --twrfile /var/lib/tripwire/report/.twr

Customize.
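
For the step that removes unneeded files from twpol.txt, this added example (not part of the original page) lists policy entries whose paths do not exist on the system, so they can be reviewed before the policy file is regenerated. The function names and the optional root-prefix argument are assumptions made here; entries that use policy variables or quoted names are skipped.

```sh
#!/bin/sh
# Added example (not from the original page): report twpol.txt entries whose
# paths are absent from the filesystem. Function names are hypothetical.

# policy_paths FILE
# Print the object name of every rule ("/path -> mask;") and stop point
# ("! /path;"). Comments are stripped first. Only unquoted absolute paths
# are reported; names built from variables such as $(TWBIN)/x are skipped
# because this sketch does not expand policy variables.
policy_paths() {
    sed -e 's/#.*$//' "$1" | awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line ~ /^!/) {                 # stop point
            sub(/^![ \t]*/, "", line)
            sub(/[ \t]*;.*$/, "", line)
        } else if (line ~ /->/) {          # rule
            sub(/[ \t]*->.*$/, "", line)
        } else {
            next                           # attributes, braces, variables
        }
        if (line ~ /^\//) print line
    }'
}

# missing_paths FILE [ROOT]
# Print each policy path that does not exist. ROOT (an assumption of this
# example) is prefixed to every path so a staged tree can be checked.
missing_paths() {
    root=${2:-}
    policy_paths "$1" | while IFS= read -r p; do
        [ -e "$root$p" ] || [ -L "$root$p" ] || printf '%s\n' "$p"
    done
}

# Run only when a policy file is given, e.g.:
#   sh twpol-missing.sh /etc/tripwire/twpol.txt
if [ "$#" -gt 0 ]; then
    missing_paths "$@"
fi
```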
